[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5576 Introduced in House (IH)]
<DOC>
115th CONGRESS
2d Session
H. R. 5576
To address state-sponsored cyber activities against the United States,
and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
April 18, 2018
Mr. Yoho (for himself, Mr. Royce of California, Mr. Engel, Mr. Sherman,
Mr. Langevin, Mr. Chabot, Mr. Poe of Texas, Mr. Fitzpatrick, Mr.
Meadows, and Mr. Castro of Texas) introduced the following bill; which
was referred to the Committee on Foreign Affairs, and in addition to
the Committees on Financial Services, Oversight and Government Reform,
and the Judiciary, for a period to be subsequently determined by the
Speaker, in each case for consideration of such provisions as fall
within the jurisdiction of the committee concerned
_______________________________________________________________________
A BILL
To address state-sponsored cyber activities against the United States,
and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cyber Deterrence and Response Act of
2018''.
SEC. 2. FINDINGS.
Congress finds the following:
(1) On February 13, 2018, the Director of National
Intelligence stated in his testimony before the Senate Select
Committee on Intelligence that ``Russia, China, Iran, and North
Korea will pose the greatest cyber threats to the United States
during the next year'' through the use of cyber operations as
low-cost tools of statecraft, and assessed that these states
would ``work to use cyber operations to achieve strategic
objectives unless they face clear repercussions for their cyber
operations''.
(2) The 2017 Worldwide Threat Assessment of the United
States Intelligence Community stated that ``The potential for
surprise in the cyber realm will increase in the next year and
beyond as billions more digital devices are connected--with
relatively little built-in security--and both nation states and
malign actors become more emboldened and better equipped in the
use of increasingly widespread cyber toolkits. The risk is
growing that some adversaries will conduct cyber attacks--such
as data deletion or localized and temporary disruptions of
critical infrastructure--against the United States in a crisis
short of war.''.
(3) On March 29, 2017, President Donald J. Trump deemed it
necessary to continue the national emergency declared in
Executive Order 13694 as ``Significant malicious cyber-enabled
activities originating from, or directed by persons located, in
whole or in substantial part, outside the United States,
continue to pose an unusual and extraordinary threat to the
national security, foreign policy, and economy of the United
States.''.
(4) On January 5, 2017, former Director of National
Intelligence, James Clapper, former Undersecretary of Defense
for Intelligence, Marcel Lettre, and the Commander of the
United States Cyber Command, Admiral Michael Rogers, submitted
joint testimony to the Committee on Armed Services of the
Senate that stated ``As of late 2016 more than 30 nations are
developing offensive cyber attack capabilities'' and that
``Protecting critical infrastructure, such as crucial energy,
financial, manufacturing, transportation, communication, and
health systems, will become an increasingly complex national
security challenge.''.
(5) There is significant evidence that hackers affiliated
with foreign governments have conducted cyber operations
targeting companies and critical infrastructure sectors in the
United States as the Department of Justice has announced that--
(A) on March 24, 2016, seven Iranians working for
Iran's Revolutionary Guard Corps-affiliated entities
were indicted for conducting distributed denial of
service attacks against the financial sector in the
United States from 2012 to 2013; and
(B) on May 19, 2014, five Chinese military hackers
were charged for hacking United States companies in the
nuclear power, metals, and solar products industries,
and engaging in economic espionage.
(6) In May 2017, North Korea released ``WannaCry'' pseudo-
ransomware, which posed a significant risk to the economy,
national security, and the citizens of the United States and
the world, as it resulted in the infection of over 300,000
computer systems in more than 150 countries, including in the
healthcare sector of the United Kingdom, demonstrating the
global reach and cost of cyber-enabled malicious activity.
(7) In June 2017, Russia carried out the most destructive
cyber-enabled operation in history, releasing the NotPetya
malware that caused billions of dollars' worth of damage within
Ukraine and across Europe, Asia, and the Americas.
SEC. 3. ACTIONS TO ADDRESS STATE-SPONSORED CYBER ACTIVITIES AGAINST THE
UNITED STATES.
(a) Designation as a Critical Cyber Threat.--
(1) In general.--The President, acting through the
Secretary of State, shall designate as a critical cyber
threat--
(A) each foreign person and each agency or
instrumentality of a foreign state that the President
determines to be responsible for or complicit in, or
have engaged in, directly or indirectly, state-
sponsored cyber activities that are reasonably likely
to result in, or have contributed to, a significant
threat to the national security, foreign policy, or
economic health or financial stability of the United
States and that have the purpose or effect of--
(i) causing a significant disruption to the
availability of a computer or network of
computers;
(ii) harming, or otherwise significantly
compromising the provision of service by, a
computer or network of computers that support
one or more entities in a critical
infrastructure sector;
(iii) significantly compromising the
provision of services by one or more entities
in a critical infrastructure sector;
(iv) causing a significant misappropriation
of funds or economic resources, trade secrets,
personal identifiers, or financial information
for commercial or competitive advantage or
private financial gain;
(v) destabilizing the financial sector of
the United States by tampering with, altering,
or causing a misappropriation of data; or
(vi) interfering with or undermining
election processes or institutions by tampering
with, altering, or causing misappropriation of
data;
(B) each foreign person that the President has
determined to have knowingly materially assisted,
sponsored, or provided financial, material, or
technological support for, or goods or services to or
in support of, any activities described in subparagraph
(A) by a foreign person or agency or instrumentality of
a foreign state designated as a critical cyber threat
under subparagraph (A);
(C) each agency or instrumentality of a foreign
state that the President has determined to have
materially assisted, sponsored, or provided financial,
material, or technological support for, or goods or
services to or in support of, any activities described
in subparagraph (A) by a foreign person or agency or
instrumentality of a foreign state designated as a
critical cyber threat under subparagraph (A);
(D) each foreign person that the President has
determined to have attempted to engage in any of the
activities described in subparagraph (A) or (B); or
(E) each agency or instrumentality of a foreign
state that the President has determined to have
attempted to engage in any of the activities described
in subparagraph (A) or (C).
(2) Publication in federal register.--The President shall--
(A) publish in the Federal Register a list of each
foreign person and each agency or instrumentality of a
foreign state designated as a critical cyber threat
under this subsection; and
(B) regularly update such list not later than seven
days after making any changes to the list.
(b) Non-Travel-Related Sanctions.--
(1) In general.--The President shall impose one or more of
the applicable sanctions described in paragraph (2) with
respect to each foreign person and each agency or
instrumentality of a foreign state designated as a critical
cyber threat under subsection (a).
(2) Sanctions described.--The sanctions described in this
paragraph are the following:
(A) The President may provide for the withdrawal,
limitation, or suspension of non-humanitarian United
States development assistance under chapter 1 of part I
of the Foreign Assistance Act of 1961.
(B) The President may provide for the withdrawal,
limitation, or suspension of United States security
assistance under part II of the Foreign Assistance Act
of 1961.
(C) The President may direct the United States
executive director to each international financial
institution to use the voice and vote of the United
States to oppose any loan from the international
financial institution that would benefit the designated
foreign person or the designated agency or
instrumentality of a foreign state.
(D) The President may direct the Export-Import Bank
of the United States, the Overseas Private Investment
Corporation, or any other United States Government
agency not to approve the issuance of any (or a
specified number of) guarantees, insurance, extensions
of credit, or participations in the extension of
credit.
(E) The President may, pursuant to such regulations
or guidelines as the President may prescribe, prohibit
any United States person from investing in or
purchasing significant amounts of equity or debt
instruments of the designated foreign person or the
designated agency or instrumentality of a foreign
state.
(F) The President may, pursuant to such regulations
or guidelines as the President may prescribe, prohibit
any United States agency or instrumentality from
procuring, or entering into any contract for the
procurement of, any goods, technology, or services, or
classes of goods, technology, or services, from the
designated foreign person or the designated agency or
instrumentality of a foreign state.
(G) The President may order the heads of the
appropriate United States agencies to not issue any (or
a specified number of) specific licenses, and to not
grant any other specific authority (or a specified
number of authorities), to export any goods or
technology to the designated foreign person or the
designated agency or instrumentality of a foreign state
under--
(i) the Export Administration Act of 1979
(as continued in effect pursuant the
International Emergency Economic Powers Act);
(ii) the Arms Export Control Act;
(iii) the Atomic Energy Act of 1954; or
(iv) any other statute that requires the
prior review and approval of the United States
Government as a condition for the export or re-
export of goods or services.
(H)(i) The President may exercise all of the powers
granted to the President under the International
Emergency Economic Powers Act (50 U.S.C. 1701 et seq.)
(except that the requirements of section 202 of such
Act (50 U.S.C. 1701) shall not apply) to the extent
necessary to block and prohibit all transactions in
property and interests in property of the designated
foreign person if such property and interests in
property are in the United States, come within the
United States, or are or come within the possession or
control of a United States person.
(ii) The penalties provided for in subsections (b)
and (c) of section 206 of the International Emergency
Economic Powers Act (50 U.S.C. 1705) shall apply to a
person that violates, attempts to violate, conspires to
violate, or causes a violation of regulations
prescribed under clause (i) to the same extent that
such penalties apply to a person that commits an
unlawful act described in subsection (a) of such
section 206.
(I) The President may, pursuant to such regulations
as the President may prescribe, prohibit any transfers
of credit or payments between one or more financial
institutions or by, through, or to any financial
institution, to the extent that such transfers or
payments are subject to the jurisdiction of the United
States and involve any interest of the designated
foreign person.
(c) Travel-Related Sanctions.--
(1) Aliens ineligible for visas, admission, or parole.--An
alien who is designated as a critical cyber threat under
subsection (a) is--
(A) inadmissible to the United States;
(B) ineligible to receive a visa or other
documentation to enter the United States; and
(C) otherwise ineligible to be admitted or paroled
into the United States or to receive any other benefit
under the Immigration and Nationality Act (8 U.S.C.
1101 et seq.).
(2) Current visas revoked.--The issuing consular officer,
the Secretary of State, or the Secretary of Homeland Security
(or a designee of either such Secretaries) shall revoke any
visa or other entry documentation issued to the foreign person
designated as a critical cyber threat under subsection (a)
regardless of when issued. A revocation under this clause shall
take effect immediately and shall automatically cancel any
other valid visa or entry documentation that is in the
possession of such foreign person.
(d) Additional Sanctions With Respect to Foreign States.--
(1) In general.--The President may impose any of the
sanctions described in paragraph (2) with respect to the
government of each foreign state that the President has
determined aided, abetted, or directed a foreign person or
agency or instrumentality of a foreign state designated as a
critical cyber threat under subsection (a).
(2) Sanctions described.--The sanctions referred to in
paragraph (1) are the following:
(A) The President may provide for the withdrawal,
limitation, or suspension of non-humanitarian or non-
trade-related assistance United States development
assistance under chapter 1 of part I of the Foreign
Assistance Act of 1961.
(B) The President may provide for the withdrawal,
limitation, or suspension of United States security
assistance under part II of the Foreign Assistance Act
of 1961.
(C) The President may instruct the United States
Executive Director to each appropriate international
financial institution to oppose, and vote against the
extension by such institution of any loan or financial
or technical assistance to the government of the
foreign state.
(D) No item on the United States Munitions List
(established pursuant to section 38 of the Arms Export
Control Act (22 U.S.C. 2778)) or the Commerce Control
List set forth in Supplement No. 1 to part 774 of title
15, Code of Federal Regulations, may be exported to the
government of the foreign state.
(E) The President may, pursuant to such regulations
as the President may prescribe, prohibit any
transactions in foreign exchange that are subject to
the jurisdiction of the United States and in which the
government of the foreign state has any interest.
(F) The President may, pursuant to such regulations
as the President may prescribe, prohibit any transfers
of credit or payments between one or more financial
institutions or by, through, or to any financial
institution, to the extent that such transfers or
payments are subject to the jurisdiction of the United
States and involve any interest of the government of
the foreign state.
(e) Exemptions, Waivers, and Removals of Sanctions and
Designations.--
(1) Exemptions.--
(A) Mandatory exemptions.--The following activities
shall be exempt from sanctions under subsections (b),
(c), and (d):
(i) Activities subject to the reporting
requirements of title V of the National
Security Act of 1947 (50 U.S.C. 413 et seq.),
or to any authorized intelligence activities of
the United States.
(ii) Any transaction necessary to comply
with United States obligations under the
Agreement between the United Nations and the
United States of America regarding the
Headquarters of the United Nations, signed June
26, 1947, and entered into force on November
21, 1947, or under the Vienna Convention on
Consular Relations, signed April 24, 1963, and
entered into force on March 19, 1967, or under
other international agreements.
(2) Waiver.--The President may waive, on a case-by-case
basis, the imposition of sanctions for a period of not more
than one year, and may renew that waiver for additional periods
of not more than one year, any sanction or penalty under this
section if the President submits to the appropriate
congressional committees a written determination that the
waiver meets one or more of the following requirements:
(A) The waiver is important to the economic or
national security interests of the United States.
(B) The waiver will further the enforcement of this
Act or is for an important law enforcement purpose.
(C) The waiver is for an important humanitarian
purpose.
(3) Removals of sanctions and designations.--The President
may prescribe rules and regulations for the removal of
sanctions under subsections (b), (c), and (d) and the removal
of designations under subsection (a) if the President
determines that a foreign person, agency or instrumentality of
a foreign state, or government of a foreign state subject to
such sanctions, as the case may be, has verifiably ceased its
participation in any of the conduct with respect to which the
foreign person, agency or instrumentality of a foreign state,
or government of a foreign state, as the case may be, was
subject to sanctions under this section and has given
assurances that it will no longer participate in such conduct.
(4) Exception to comply with united nations headquarters
agreement.--Sanctions under subsection (c) shall not apply to a
foreign person if admitting the foreign person into the United
States is necessary to permit the United States to comply with
the Agreement regarding the Headquarters of the United Nations,
signed at Lake Success June 26, 1947, and entered into force
November 21, 1947, between the United Nations and the United
States, or other applicable international obligations.
(f) Briefing to Congress.--
(1) In general.--Not later than 180 days after the date of
the enactment of this section, and periodically thereafter, the
President shall provide to the appropriate congressional
committees a briefing on state-sponsored cyber activities
against the United States.
(2) Matters to be included.--The briefing required by
paragraph (1) shall, include the following, to the extent the
information is available:
(A) A list of foreign states that continue to aid,
abet, or direct any foreign person or agency or
instrumentality of a foreign state to carry out state-
sponsored cyber activities against the United States,
including--
(i) a list of entities within the United
States critical infrastructure that are
believed to have been, or are currently still,
subject to state-sponsored cyber activities by
each such foreign state; and
(ii) a list of such foreign persons and
agencies and instrumentalities of foreign
states that the President has reason to believe
are engaging, or have engaged in, state-
sponsored cyber activities against the United
States but are not currently designated under
subsection (b).
(B) A list of the foreign persons and agencies and
instrumentalities of foreign states with respect to
which the imposition of sanctions were waived or
removed under subsection (f).
(C) A summary of any efforts made by the Government
of the United States to resolve and bring an immediate
end to state-sponsored cyber activities against the
United States that could result in the designation as a
critical cyber threat under subsection (a).
(g) Definitions.--In this section:
(1) Admitted; alien.--The terms ``admitted'' and ``alien''
have the meanings given such terms in section 101 of the
Immigration and Nationality Act (8 U.S.C. 1101).
(2) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Foreign Affairs, the Committee
on Financial Services, the Committee on the Judiciary,
the Committee on Oversight and Government Reform, and
the Committee on Homeland Security of the House of
Representatives; and
(B) the Committee on Foreign Relations, the
Committee on Banking, Housing, and Urban Affairs, the
Committee on the Judiciary, and the Committee on
Homeland Security and Governmental Affairs of the
Senate.
(3) Agency or instrumentality of a foreign state.--The term
``agency or instrumentality of a foreign state'' has the
meaning given such term in section 1603(b) of title 28, United
States Code.
(4) Critical infrastructure sector.--The term ``critical
infrastructure sector'' means any of the designated critical
infrastructure sectors identified in the Presidential Policy
Directive entitled ``Critical Infrastructure Security and
Resilience'', numbered 21, and dated February 12, 2013.
(5) Foreign person.--The term ``foreign person'' means--
(A) an individual who is not a United States
citizen or an alien lawfully admitted for permanent
residence to the United States; or
(B) an entity that is not a United States person.
(6) Foreign state.--The term ``foreign state'' has the
meaning given such term in section 1603(a) of title 28, United
States Code.
(7) Knowingly.--The term ``knowingly'', with respect to
conduct, a circumstance, or a result, means that a person has
actual knowledge, or should have known, of the conduct, the
circumstance, or the result.
(8) Misappropriation.--The term ``misappropriation'' means
taking or obtaining by improper means, without permission or
consent, or under false pretenses.
(9) State-sponsored cyber activities.--The term ``state-
sponsored cyber activities'' means any cyber-enabled activities
that--
(A) are carried out by an agency or instrumentality
of a foreign state; or
(B) are carried out by a foreign person that is
aided, abetted, or directed by a foreign state or an
agency or instrumentality of a foreign state.
(10) United states person.--The term ``United States
person'' means--
(A) a United States citizen or an alien lawfully
admitted for permanent residence to the United States;
or
(B) an entity organized under the laws of the
United States or of any jurisdiction within the United
States, including a foreign branch of such an entity.
<all>